This tutorial will teach you how to secure your website from such privacy concerns and in doing so reap the additional benefits that a website gains by running over HTTPS.

After installing SSL certificates in the past I know only too well the struggles that one can face, but when looking into Let's Encrypt for Assortment, I was pleasantly surprised to find just how simple it was to set up; something I'm sure you'll all echo at the conclusion of this post.

Now I appreciate there may be some of you still unsure what an SSL certificate actually is, or more importantly what it does. If that's you, stick around for the next section of this post and I'll explain exactly that, otherwise feel free to skip to the tutorial itself.

What is an SSL certificate?

Defined officially as 'Secure Sockets Layer', an SSL certificate is a piece of technology that allows your users to establish a secure connection between themselves and your website (or rather the server it is hosted on), encrypting any messages or other information sent back and forth between the two.

When going to a website you request the contents of that page from the server it is hosted on. In turn, the server will then answer your call with the requested content for you to download and display in your browser.

Fig 1: A typical request to a server over HTTP protocol

However, when requesting secure content from a website behind an SSL certificate, you in turn request a level of validation from the website's server in order to verify its authenticity before downloading any files. This verification relies on a certificate issued by a trusted third-party organisation known as a Certificate Authority, such as Let's Encrypt.

Fig 2: A typical request to a server over HTTPS protocol

In essence you can treat an SSL certificate as a middleman that ensures everyone is safe and secure while transactions take place; in this case, the transaction of web page files.

I hope this provides a loose meaning to what an SSL certificate is and how it works, but should you have any questions feel free to leave a comment at the bottom of this post.

With that in mind let's continue on with the tutorial.

Setting up Certbot

In order to create our SSL certificate, we will be installing a piece of software onto the server called Certbot.

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

NOTE: The following steps are only for Apache on Ubuntu 16.04 (trusty).

First of all download the Certbot package using apt-get.

$ sudo apt-get install python-letsencrypt-apache

Once installed, run the letsencrypt command with the Apache plugin.

$ letsencrypt --apache

You'll now be taken through a series of GUI-like questions. You can proceed through these by using:

Arrow keys for navigation

Spacebar for selection

Enter for submission

The first question will ask you to tick the domains you'd like to encrypt. I'm going to assume you're not encrypting a subdomain, so be sure to select both the www. and non-www. versions for those SEO gains.

Fig 3: Let's Encrypt installation - Part 1 - Choosing your domains

Next, you'll also be given the option to limit traffic to HTTPS only or to allow both HTTPS and HTTP. Depending on your website's goals you may opt for the more secure option; however, for 99% of cases I'd recommend going with the more flexible of the two, as we can handle any redirects within our .htaccess file or similar, depending on your setup.

Redirecting traffic to HTTPS

Now that we have our website set up behind an SSL certificate, we need to drive our users through it, as currently they can access both the secure and non-secure sites. As I mentioned in the previous section, we didn't go down the route of only allowing traffic through HTTPS, as some users may still try to go to the non-HTTPS equivalent.

Within my last post on Common .htaccess Redirect Rules I demonstrated how to redirect all traffic to HTTPS, so feel free to paste one of those solutions into your site's .htaccess file.

Renewing your certificate

One of the big differences between a normal Certificate Authority and Let's Encrypt is the renewal dates. As Let's Encrypt is an automated approach to SSL certificates, they can only be issued for 90 days. This means that just before the 90 days are up you need to make sure you renew your certificate. In addition, there are times when Let's Encrypt may need to revoke current certificates for security reasons, so it's recommended to set up a cron job on your server to check for a renewal every day.

Luckily, Certbot makes renewals easy with the renew command. When running this command, Certbot will check whether any certificates on your server are up for renewal and, if so, renew them.

$ letsencrypt renew

NOTE: Again, please remember the exact naming of these commands will depend on your server's setup.

Testing renewals

You can also test that the renewal command is working correctly by doing a test run with the --dry-run --agree-tos flags. A dry run talks to Let's Encrypt's staging environment rather than the production one, so it doesn't count against your rate limits and leaves your live certificate untouched.

$ letsencrypt renew --dry-run --agree-tos

Assuming this went through successfully, you'll end up with output like what I got when testing this blog's certificate.

Automating renewals

The Certbot website recommends that you set up a cron job (or your server's equivalent) that runs the letsencrypt renew command daily to ensure that your website does not go down.

Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

Saving that file will set up a cron job to run every day at 5am and 10pm. You can always change this to whatever you'd like by editing the entry you added to your crontab. Personally, I can never remember the cron syntax so I use an online editor such as www.crontab-generator.org.
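As an added example, not part of the original post, here is a small POSIX shell script that builds the crontab entry described above (runs at 5am and 10pm every day, with a randomly chosen minute as the Certbot note recommends) and installs it without duplicating an existing job. It assumes the letsencrypt command name used throughout this post; on newer systems the binary is called certbot, so adjust the name to match the note about naming earlier on.

```shell
#!/bin/sh
# Added example (not from the original post): build and install the daily
# renewal crontab entry. Assumes the command is called `letsencrypt`, as in
# the post; newer installs name it `certbot`.

# Pick a random minute in 0..59 so every server does not hit the CA at
# exactly the top of the hour.
random_minute() {
  awk 'BEGIN { srand(); print int(rand() * 60) }'
}

# Return 0 only if the argument is an integer within 0..59.
valid_minute() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 0 ] && [ "$1" -le 59 ]
}

# Emit the crontab line: given minute, hours 5 and 22, every day.
# --quiet keeps cron mail to errors only, since a renew run that has nothing
# to do would otherwise report that every time.
renew_cron_line() {
  minute="$1"
  valid_minute "$minute" || return 1
  printf '%s 5,22 * * * letsencrypt renew --quiet\n' "$minute"
}

# Append the entry to the current user's crontab, keeping existing jobs and
# skipping the install if a renewal job is already present.
install_renew_cron() {
  line=$(renew_cron_line "$(random_minute)") || return 1
  existing=$(crontab -l 2>/dev/null)
  if printf '%s\n' "$existing" | grep -Fq 'letsencrypt renew'; then
    echo "renewal job already installed" >&2
    return 0
  fi
  {
    [ -n "$existing" ] && printf '%s\n' "$existing"
    printf '%s\n' "$line"
  } | crontab -
}
```

Run install_renew_cron as the user whose crontab should carry the job (root, if the certificates live under /etc/letsencrypt), then confirm with crontab -l. Pairing this with the --dry-run test from the previous section is a good way to check that the job will succeed before its first scheduled run.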

Concluding thoughts

I hope this quick tutorial helps you to understand a little more about what an SSL certificate is and how you can set one up for your own site. Here's to many more free SSL certificates in the future!

Ed Baxter

Luke Whitehouse

Hey Ed, good question!

Yes, there are definitely other options; Certbot is just their recommendation. Luckily Let's Encrypt have some great documentation on their Getting Started page to help you out, but the crux of it comes down to whether or not you have shell access (i.e. SSH).

If you do, you can take a look at the other ACME Client Implementations they have on their website. If not, you'll either want to check with your hosting provider to see if they support Let's Encrypt installation, or you'll want to find an ACME client that supports manual certificate installation, like Certbot does (information for that can be found on their User Guide).